Firefox Sync

Firefox Sync is nice. Nice enough I’ve switched to using Firefox on iOS. Almost entirely for the ability to send a tab to my mobile device. This happens to me all the time; I have something interesting or useful on my desktop browser and I want to look at it on my iPhone. Now instead of emailing myself a URL awkwardly I can just send the tab to the iPhone and it’s done.

The other feature I like is the ability to open URLs that are or were recently open in another browser. That way I can grab something of interest on my iPhone even if I forgot to send it from the other computer. This feature’s less useful to me since I tend not to leave tabs open. Also the sync seems to be minutes out of date, so sometimes what I want isn’t available.

Firefox Sync shares a lot of state: bookmarks, saved passwords, browser history, installed addons, etc. It all seems pretty useful and it all seems to work well.

 

Twitter streaming API workarounds: lists and following

Twitter is shutting off their streaming API. After months of warning, the actual deadline is in three days, Thursday the 16th. If you were using the streaming API to follow at most a few thousand accounts, there’s a workaround: Twitter lists.

The idea is you create a Twitter list containing all the accounts you want to follow. Then you poll lists/statuses for the timeline of tweets. Polling isn’t awesome but the default rate limit is once a second, so it’s not too bad. Twitter lists are limited to 5000 accounts, so if you need more than that this won’t work (but consider multiple lists).

The main thing you’ll lose this way is replies; Twitter lists don’t include replies not to list members. (Or maybe not to people you follow, I’m confused on that point.) But otherwise it seems to work. If you’re working with old Twitter code be sure you understand about extended_tweets; you almost certainly want to be getting them.

One wrinkle: creating a list of thousands of people isn’t easy. It looked to me like there was a hard limit of adding 1000 users to a list every day. Also maybe a soft limit of hundreds in a short period of time.

The other option I tried was instead of a list, create an account and follow the users of interest. Then look at their home timeline. This doesn’t work as well for various reasons. First, Twitter mucks with a home timeline more than a list timeline, more risk of reordering and stuff. Also the rate limit is lower (once a minute). Finally it seems harder to quickly follow thousands of new accounts, I ran into more draconian rate limits.

One more wrinkle: listing or following a user notifies them you are interested in them. Following people via the streaming API was completely passive, now users have a hint they’re being watched. It’s not a big deal but some users may choose to block you when they get listed / followed.

Standard Notes

I’ve been using SimpleNote for a long time. It’s a great simple cloud-synced notepad and a very nice free service Automattic maintains. Type some text at it and it remembers, you can access it with a nice desktop app or a nice mobile app or any website. The problem is SimpleNote isn’t built for much security. They store your notes in plaintext on their servers. That’s probably OK but if they ever have a security breach we’re in trouble. And oddly, my notes turn out to have some pretty secure content in them. In particular I often temporarily save a password or SSH key to them. Not permanently, but with undo it’s not clear you can ever really delete anything.

Enter Standard Notes. It looks to be very similar to SimpleNote in concept, but it has end-to-end encryption built in, so it’s more secure. (Also you can never recover your notes if you lose your password.) It’s free and open sourceish, looks like they have a Freemium business model where you pay for extra features like fancier editors with formatting, reskinning the UI, etc.

Notes are tagged; in that way it’s a little like Notational Velocity / nvAlt.

The Windows desktop app is Electron and looks to share code with the web interface. The UI is a bit funky, it does not look like a native app, but it’s totally usable. Not sure how the iPhone app is implemented (I’m guessing JavaScript as well) but it looks fine.

Trying it out is easy, there’s an import from SimpleNote that works OK, main wrinkle is all my deleted SimpleNotes showed up again.

I love the voice of their help page. Someone very opinionated (in a good way) is building this product. I particularly like this quote:

Your data is a liability to us, not an asset.

 

Door King 1812 programming notes

I have a gate at my house. It’s driven by a LiftMaster Miracle 1 motor unit, which in turn is commanded by a Door King 1812 gate controller. This was all installed around 2000 but the design probably predates that. I got deep into the setup of these things trying to make the gate do what I want, and failed. Mostly because I don’t understand the Miracle 1.

The Door King 1812 is still sold today, still supported. The manual is here, I reference it by section number (like 2.2.1 for master code).

Programming it seems daunting. I tried at first to get it working using the PC software and a modem, but that requires a monthly $$ subscription to use and seemed pretty rickety anyway. Instead I used the touchtone programming interface. This is overwhelming at first, but really not so hard.

The key thing here is the gate controller is wired into my phone line. It’s listening in-line and can be programmed to work as an intercom using the phone wires, to synthesize a ring on my phone line, and even to answer and make phone calls. I talk to the controller via my phone; just pick up and press *7 at the dialtone to get the gate’s attention and it answers with a beep.

One wrinkle: some steps require you press 0 and # simultaneously to end programming. (I write this as 0-#). I found neither phone keypad I have is able to send two tones at once. I ended up having to use the gate keypad to program things so I could enter 0-#.

Here’s some stuff I learned:

Master code. You need this to do anything else. Old ones had a default of 9999, newer ones have a default of the last 4 digits of the serial number. Someone had written mine down on a sticker inside the keypad box. See 2.2.1 for setting a new master code; you open the keypad box and flip a switch. I’ll use “xxxx” to stand in for this code later.

Attention. The gate listens for a code, *7 by default. It beeps when it responds. All commands to the gate start with that. See 2.2.2 to change the number 7. You can inspect the state of the gate relays with this attention command, as described in 4.11. After a brief delay the gate will beep at you to tell you which relays are open.

Basic operation from house phone. *7 9 to open the gate. In detail: the controller is programmed to respond to simple commands on digits 1-9, described in 4.13. *7 gets the gate’s attention, and then it’s sent the command 9. These commands are called “tone open numbers” in the manual and their programming is explained in 2.3.2.

Basic operation from keypad. #zzzz to run an entry code program, described in 4.4. Typically this is something to open the gate. You program codes (like #1234) and give them to friends who you want to get in.

Program strike time. Described in 2.3.1. Various commands tell a relay to operate for N seconds before turning off again. That’s how you have it open the gate for N seconds, then close it again automatically. I believe my gate was programmed to do this for 2 seconds (much less than the time it takes to swing the gate). I think this is the way the Door King signals the motor controller; a short pulse on the relay.

Program tone open number. Described in 4.13 and 2.3.2. *7 *05xxxx 1* 987#* 0-#. This is super complicated. I’m telling relay 1 that when I press 9 I want “momentary activation” for the strike time, when I press 8 I want “hold open”, when I press 7 I want it to deactivate, and nothing for the 4th command (#).

I’ll be honest and say I’m confused about what I ended up with. *78 seems to cause the gate to hold open. Then *78 again will cause it to hold closed. *77 doesn’t do anything?

Program entry codes. Described in 2.6.1, see 4.5 for definitions of “momentary” and “hold”. I entered *7 *02xxxx 18* zzzz* 0-#. That sets up the new entry code zzzz to location 18, a “hold” location. That should cause it to hold the gate open when #zzzz is entered, then close when #zzzz is entered again. If I’d set it to a “momentary” location again like the number 11 then it would only open the gate for the strike time, then close it again.

Security hardening. The controller can answer and make phone calls. I don’t want that. Sections 2.3.5, 2.5.1, 2.5.3 all seem relevant things to turn off.

Garage door remote. My gate also comes with garage door buttons to open. The Door King doesn’t have anything to do with this; it’s wired directly to the Miracle 1.

There’s more the gate controller can do. You can set it so some codes only work at certain times, or certain days. You can program it to accept and make calls. Etc etc. I didn’t do any of that.

The relay and the Miracle 1 motor. This is key to the whole programming. All the Door King is doing is turning a relay off and on. What does that mean to the motor?

I got lost here. The Miracle 1 isn’t really programmable, but does have a few configurable options. I believe ours was configured so that a signal from the relay means “open the gate, wait 45 seconds, close the gate again”. What I want is a signal to open the gate, then a second signal to close it again. The Miracle 1 manual suggests that’s not really possible but I know it used to work that way, so it must be. But in the process of tinkering with it I got the gate in a state where I couldn’t even make it open reliably. It may be that something’s wrong with the limit switches or the power supply. I got fed up and quit.

Two factor authentication overview

Bit of kerfuffle this week around Reddit, which had a security breach despite having two factor authentication enabled. Some basic introductory notes for folks wondering what’s going on.

  • Two-Factor authentication (or 2FA) is any login protocol that requires a second thing for logging in besides your password. Passwords are a terrible form of security, you should use 2FA for any account you care about. Definitely your email account and your bank. Also whatever is important in your job: your Amazon Web Services account, or your Twitter account, or whatever.
  • SMS (text messages) are often used as the second factor in 2FA: the website text messages you a one-time code you type in to the login page. You give the website your cell phone number to set it up. But SMS is not secure; it’s far too easy to convince a mobile phone company to hijack a cell phone number. SMS is better than no 2FA, but if you have any other option at all don’t use SMS. Note many accounts have a backdoor SMS recovery option that you only use if you lost your password; these are also insecure and seem to be what tripped up Reddit. SMS 2FA is also vulnerable to phishing and MITM attacks.
  • TOTP / HOTP, one-time passwords, are also a common 2FA option and are pretty good. App generates codes every minute / every login and you type them into the page. You set it up by scanning a QR code when you set up the login, then run an app like Google Authenticator, Authy, or 1Password to generate a number that you type in to log in. It’s what I use in practice. Not positive how safe it is to use 1Password to store both passwords and this second factor in the same system, so mostly I don’t use that. These are still vulnerable to phishing and MITM attacks.
  • U2F / Yubikey is the new hotness in 2FA. You have a physical device, a little USB key, and a special protocol that lets web sites authenticate through your browser to the key itself. The hardware is designed to be secure. Also the second factor that’s used is phishing resistant. Yubikeys are quite common in the tech industry but do require software support that’s not available everywhere.
  • Push-based 2FA, where you have a custom app on your phone that pops up a confirmation dialog. You press a single button to approve the login and you’re done. It’s very convenient. I first saw this in the Blizzard Authenticator. Duo Push is a product you can use to implement push-based 2FA on your own sites. Apple’s iCloud 2FA also does a variety of push 2FA along with also requiring you type in a code. I don’t know how secure push-based is but I’m guessing pretty good, at least the obvious phishing attacks won’t work.
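
The difference between the TOTP / HOTP and U2F bullets above, as an added example (not part of the original post): HOTP and TOTP implemented per RFC 4226 / RFC 6238, next to a simplified model of an origin-bound response. The HMAC stand-in for the U2F signature, the device key, the two origins and the 30-second step (RFC 6238's default) are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"         # published RFC 4226 / RFC 6238 test secret
DEVICE_KEY = b"constructed-device-key"   # constructed sample value
REAL = "https://login.example.com"       # constructed origins
LOOKALIKE = "https://login.example.net"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, drift: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus `drift` steps."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * step, step), code)
        for d in range(-drift, drift + 1)
    )

def origin_bound_response(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Simplified model of a U2F assertion: the response covers the origin the
    browser actually saw. Real U2F uses an ECDSA signature, not an HMAC."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()

def verify_origin_bound(key: bytes, challenge: bytes, response: bytes) -> bool:
    """The real site only accepts a response computed over its own origin."""
    return hmac.compare_digest(origin_bound_response(key, challenge, REAL), response)

def demo() -> dict:
    code = totp(SECRET, 59)
    challenge = b"constructed-challenge"
    return {
        "code": code,
        # The code says nothing about which page it was typed into, so it
        # verifies wherever it is presented while the window is open.
        "totp_in_window": verify_totp(SECRET, code, 70),
        "totp_after_window": verify_totp(SECRET, code, 200),
        # A response produced while the browser was on a different origin fails.
        "u2f_lookalike": verify_origin_bound(
            DEVICE_KEY, challenge, origin_bound_response(DEVICE_KEY, challenge, LOOKALIKE)),
        "u2f_real": verify_origin_bound(
            DEVICE_KEY, challenge, origin_bound_response(DEVICE_KEY, challenge, REAL)),
    }
```

The one-time code is valid for whoever submits it inside the drift window, while the origin-bound response is useless anywhere except the site it was computed for.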

tl;dr: use 2FA on important accounts. Avoid SMS if you can.

Using a modem in 2018

I’m wanting to program my Door King gate controller. It’s hooked into our phone line and can be programmed via touchtones or with a modem. So why not? I bought a modem. $16 for a USB 56kbps modem. I even made an unboxing video.

I plugged it in to my Windows 10 box and it was just recognized, no driver futzing at all. It even seems available for use for faxing and dialup. But that’s far too new-fangled, so I looked around and found that Tera Term still exists and can be used as serial port console software. Also found at least one dialup BBS online. A few half-remembered Hayes AT commands later and we have connection! Not sure why it only connects at 26400kbps, but I’ll take it.

Having a bit of trouble finding the modem to connect to it. Tera Term seems to think my modem is COM3 and worked first time I tried it. Windows Fax & Scan sometimes identifies a fax device, sometimes doesn’t. And the Door King software is not identifying any modems although I can manually tell it to use COM3.

Worse, the Door King software seems to require an account that I pay for in order to use the programming software. I got as far as registering for the software and getting my password mailed back to me in plaintext before I saw it was $6/month. Forget that. The manual talks about a “DoorKing Auto-Programming Software for Windows” which is different from the “DKS Access Plus” software I can find online. I’ll dig a bit more tomorrow, but this whole ridiculous escapade into modems may be coming to an abrupt end.

AXIS 1034-W security camera setup

A couple years back I bought a wireless security camera, an AXIS 1034-W, and did a halfass setup using the ancient Linux program “motion” to do the heavy work of recording video. I just revisited all this using the on-board features of the camera itself and it’s so much better. This product is obsolete; the newer Axis M1065-LW looks better in lots of ways and some of these notes probably don’t apply. And there’s a whole world of other manufacturers making security cameras, but for me anything with cloud based video uploading like NestCam is a non-starter.

The hurdle is this old camera is really designed to be configured in MSIE, with ActiveX controls (no really) and a Java applet (I know, I know!). Once I got IE 11 fired up it got a whole lot easier to set up the camera. You literally can’t configure the motion detection without running Java. Dumb!

Anyway I’m not going to document everything I did. But the basic thing was to enable audio recording (off by default for some reason), then set up a “quality” stream profile to capture 1280×800 H.264 with audio. Then I configured the image motion detection to trigger on very small objects (ie: far away from the camera) and set up an action for it to record any detected motion to an SMB share on the local network.

End result is pretty good. The main drawback of this camera model is it doesn’t illuminate the scene nor record with infrared. So it doesn’t work very well in the dark. Newer models do. It does have a passive infrared sensor for motion detection but it doesn’t seem to work well enough.